Hi Owen,
> The credentials are authorization information; "This request is from <username>
> who claims the right to access <requested-uri> in <realm>"
I'm not sure I see what sense you consider this authorization
information. As I pointed out, even clear authentication information
is an input to authorization decisions, so it's not incorrect to call
even the digest "information for the authorization decision". It does,
however, confuse people to call either the digest or the credentials
(in this case) simply "authorization information".
The credentials do not drive the authorization decision the way
capabilities (or, if I dare, ANSA credentials :-) drive authorization
decisions. They're not emitted and protected by a trusted authority;
they don't (usually) grant authorization by their very existence. What
they do is tie the request (at some level) to the authentication
information. Both the request (method and URI) and the authentication
information (username and realm; the realm is strictly for
authentication I believe) are necessary for the authorization
decision. But, I would argue (I do argue :-), the information that
drives the authorization decision is more likely to be a database like
the .htaccess file (or a separately passed capability or ANSA-like
credential, vouched for by an appropriate authorization authority).
Mez
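To make the distinction in this thread concrete, here is an added example in Python (mine, not code from the thread or any server): the digest credentials tie the request's method and URI to a username and realm, while the access decision is read from a separate table standing in for .htaccess. The password store, access list, nonce and status codes are constructed sample data.

```python
import hashlib
import hmac

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """Digest response of the original (no-qop) scheme:
    MD5( MD5(user:realm:pass) : nonce : MD5(method:uri) ).
    It binds the authentication data (username, realm) to the request (method, URI)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

# Constructed sample data: a digest password store keyed by (username, realm) ...
PASSWORDS = {("mez", "wiki"): "hunter2", ("owen", "wiki"): "s3cret"}

# ... and a separate access list standing in for .htaccess. This table, not the
# credentials, is what drives the authorization decision.
ACL = {"/wiki/read": {"mez", "owen"}, "/wiki/edit": {"mez"}}

def authenticate(creds: dict, method: str, uri: str) -> bool:
    """Authentication: do the presented credentials tie *this* request to a known user?"""
    if creds.get("uri") != uri:  # credentials must be for the URI actually requested
        return False
    password = PASSWORDS.get((creds.get("username"), creds.get("realm")))
    if password is None:
        return False
    expected = digest_response(creds["username"], creds["realm"], password,
                               method, uri, creds.get("nonce", ""))
    return hmac.compare_digest(expected, creds.get("response", ""))

def authorize(username: str, uri: str) -> bool:
    """Authorization: consult the policy database, not the credentials."""
    return username in ACL.get(uri, set())

def handle(creds: dict, method: str, uri: str) -> int:
    """Return the HTTP status the server would send for this request."""
    if not authenticate(creds, method, uri):
        return 401  # cannot tie the request to a known user
    if not authorize(creds["username"], uri):
        return 403  # known user, but the policy does not grant this access
    return 200

if __name__ == "__main__":
    nonce = "constructed-nonce-1"
    creds = {"username": "owen", "realm": "wiki", "nonce": nonce, "uri": "/wiki/edit",
             "response": digest_response("owen", "wiki", "s3cret", "GET", "/wiki/edit", nonce)}
    print(handle(creds, "GET", "/wiki/edit"))  # authenticated but not authorized
```

Changing the method or URI after the response was computed fails authentication, because the digest covers both; a valid user on a URI missing from the access list fails authorization instead.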